MEMORANDUM

U.S. Government Printing Office
Office of Inspector General

Date: January 8, 2010
To: Public Printer
From: Inspector General
Subject: Report on the Consolidated Financial Statement Audit of the Government Printing Office for Fiscal Years Ended September 30, 2009 and 2008
Report Number 10-02

This report contains the audit of the annual consolidated financial statements of the Government Printing Office (GPO) for the fiscal years (FY) ended September 30, 2009 and 2008. We contracted with the independent public accounting firm of KPMG LLP (KPMG) to audit the consolidated balance sheet, statement of revenue and expenses, and statement of cash flows for the years then ended. The audits were conducted in accordance with auditing standards generally accepted in the United States and the standards applicable to financial audits contained in Government Auditing Standards (GAS), issued by the Comptroller General of the United States.

Results of Independent Audit

KPMG expressed an unqualified opinion on the GPO consolidated financial statements for the FYs ended September 30, 2009 and 2008, concluding that the GPO financial statements were fairly presented, in all material respects, in conformity with generally accepted accounting principles (GAAP). KPMG's consideration of internal control over financial reporting resulted in two significant deficiencies[1], which KPMG did not consider to be material weaknesses. Details on these two deficiencies, which were in the areas of financial reporting and information technology, are as follows:

[1] A significant deficiency is a deficiency, or combination of deficiencies, in internal control that is less severe than a material weakness, yet important enough to merit attention by those charged with governance. A material weakness is a deficiency, or combination of deficiencies, in internal control, such that there is a reasonable possibility that a material misstatement of the entity's financial statements will not be prevented, or detected and corrected on a timely basis.

1. Financial Reporting Controls

KPMG identified the following significant deficiencies related to financial reporting controls.

· Review and Reporting of General Property, Plant and Equipment. GPO recorded additions to General Property, Plant and Equipment (PP&E) in its subsidiary ledger and general ledger based on when cash disbursements were made for the assets instead of recording the PP&E when it was received and accepted by GPO. In addition, GPO recorded two advance payments totaling approximately $4.6 million as PP&E instead of as an advance.

· Certain Reconciliation Controls. Certain key reconciliations in the areas of expenses, unbilled accounts receivable, accounts payable and deposit accounts were not always performed timely and, when performed, differences noted were not consistently investigated and resolved in a timely manner.

· Controls over Compilation of Statement of Cash Flows. Cash flows from operating activities and investing activities in the draft statement of cash flows were each initially misstated by approximately $3.7 million as a result of GPO misclassifying certain investing cash flows as operating activities. This misclassification was corrected in the final statement of cash flows.

2. Information Technology (IT) General and Application Controls

During FY 2009, deficiencies in the design and/or operation of GPO's IT general and application controls were noted in security management, access controls, configuration management, and contingency planning. The details of these conditions, several of which have been reported to management in prior years' audit reports, are as follows:

· Security Management. GPO made progress in FY 2009 to formalize GPO's established information security objectives and high-level policy. However, KPMG noted the following conditions:

    o GPO's Business Information System (GBIS) and General Support System (GSS) have not received full authority to operate in GPO's production environment. During the certification and accreditation process, conditions were identified that resulted in the issuance of an Interim Authority to Operate (IATO). Those conditions were not remediated as of September 30, 2009. KPMG also observed that: (i) the security plan for GBIS contained information that did not adequately reflect current processes in the GBIS environment, (ii) a section of the security plans for both GBIS and the GSS was incomplete, and (iii) elements of the risk assessment for the GSS were incomplete.

    o Security awareness policies and procedures were not consistently enforced.

    o The Memorandum of Understanding (MOU) that governs the development, management, operation, and security of the connection between the National Finance Center (NFC), GPO's payroll processor, and GPO's hosted system at Oracle's data center expired in March 2009 and has not been extended or reaffirmed.

    o GPO did not implement procedures to review and update its Plans of Action and Milestones (POA&M) for IT security weaknesses on a quarterly basis.

    o GPO's process for identifying, recording, and maintaining its system inventory has not produced a comprehensive, current inventory of both minor and major systems as well as related hardware and peripherals.

· Access Controls. KPMG noted the following access control deficiencies:

    o GPO management was not consistently following documented policies and procedures for granting and reviewing access to the data center.

    o Access to GBIS was not appropriately restricted and monitored.

    o GPO did not have adequate user identification controls to verify the identity of users during phone calls requesting password resets from the Information Technology and Support (IT&S) Help Desk.

    o Comprehensive policies and procedures for granting access to the Local Area Network (LAN) had not been developed and formally documented.

    o The GPO Computer Security Incident Response Team (CSIRT) Framework and Procedures did not fully address the elements outlined in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-61, Computer Security Incident Handling Guide.

· Configuration Management. KPMG noted that the development and implementation of configuration changes for GBIS did not adhere to strict project management and configuration management practices. In addition, during FY 2009, GPO management continued the development of a desktop patch management plan which started in FY 2008. However, GPO has not been able to complete the implementation of the patch management plan and process.

· Contingency Planning. GPO did not have a completed contingency plan for its GSS that would allow the complete recovery of operations in the event of a major disaster or outage. The IT&S contingency plan and strategy for the GSS was in the process of development. Additionally, GPO IT&S lacked standard operating procedures for several of its routine and critical processes, including media backup and off-site storage, and LAN configuration management.

KPMG disclosed no instances of noncompliance with certain provisions of laws, regulations and contracts or other matters that are required to be reported under GAS.

Evaluation and Monitoring of Audit Performance

We reviewed the KPMG audit of the GPO consolidated financial statements by:

· Evaluating the independence, objectivity, and qualifications of the auditors and specialists;
· Reviewing the approach of and planning for the audit;
· Attending key meetings with auditors and GPO officials;
· Monitoring the audit progress;
· Examining audit documentation;
· Reviewing the auditors' reports; and
· Reviewing the financial statements and associated footnotes.

KPMG is responsible for the attached reports dated January 8, 2010, and the conclusions expressed in the reports. Our review, as differentiated from an audit in accordance with GAS, was not intended to enable us to express, and accordingly we do not express, an opinion on GPO's financial statements, the effectiveness of internal controls, or compliance with laws and regulations. However, our monitoring review, as limited to the procedures listed above, disclosed no instances in which KPMG did not comply, in all material respects, with GAS.

If you have any questions or comments about this report, please do not hesitate to contact me, or Mr. Kevin Carson, Assistant Inspector General for Audits and Inspections, at (202) 512-2009 or through email at kcarson@gpo.gov.

J. Anthony Ogden
Inspector General

Attachment

cc:
Deputy Public Printer
Chief Management Officer
Acting Chief of Staff
Acting General Counsel

GPO Form 731A (R9.07)
Keeping America Informed | www.gpo.gov/oig